"NIS2 will keep businesses busy for years" - Interview with IT security expert Manuel Atug

Manuel “HonkHase” Atug has been working in information security and critical infrastructure protection as a consultant and auditor for well over 23 years. He deals with the topics of critical infrastructure, hack back, ethics, hybrid warfare, cyber resilience, civil protection, and disaster control.

HonkHase is a graduate computer scientist, Master of Science in Applied IT Security, and engineer. He is also the founder and spokesperson of the independent working group Critical Infrastructures (AG KRITIS) and co-founder of the independent working group Sustainable Digitalization (AGND) together with Caroline Krohn in Germany. His social media handle is @HonkHase.

Tresorit: Hello HonkHase. Many sectors subject to the CER Directive are stepping up their digitization game and thus also affect NIS2. Why is the EU creating two laws with CER and NIS2 instead of integrating them?

Manuel Atug: I suspect the reason is that physical security and cyber security were already considered separately in the past. In the meantime, we have seen from IT and cyber security developments that it is hardly possible to consider them separately. Instead, we must look at cyber-physical security. One example is data centers: their physical security has always been a cyber security issue. But if we look at physical and cyber security in general, they are still different topics. They are merging more and more but remain distinct disciplines. That's probably why we consider them separately.

Just as IT and OT, that is, process automation in industrial plants and IT operations, have always been different subjects. I have the operations manager on one side and the IT security officer on the other. However, the two disciplines now have more and more transitions and similarities, just like physical and cyber security. Legislators are taking much longer to see and take account of this kind of development and are lagging. After all, we cannot discuss and reach agreements in this regard in one year or so; such a process takes years.

Tresorit: Let’s talk Industry 4.0. What progress has Germany made in protecting cyber-physical systems?

Manuel Atug: I think Germany is in as good or as bad a position as many other nations around the world. If we look at Industry 4.0 components, that is, PLC controllers, SCADA systems, PLCs, and the like, we always see the same few manufacturers – ABB, Siemens and so on. They are used worldwide, installed, and not touched for decades. In this respect, Germany is as well and as badly positioned as everyone else.

Nobody who has just built a factory is constantly updating it with the latest security updates or products. The existing process automation is to be operational for dozens of years. In this respect, we all have the same problem when it comes to security levels. New standards are being developed, but this will still take many, many years.

Tresorit: How do you assess the roadmap for implementing the new legal requirements from NIS2?

Manuel Atug: The German IT Security Act dates to 2015, NIS1 to 2016. The actual security implementation started in 2018/19 and we still have critical infrastructure operators who are not fully implementing the legal requirements because they are simply still working on it. If we apply this development to NIS2 and the so-called German “KRITIS umbrella law,” not much will happen before 2026/27.

There are similarities with GDPR in 2015. One example is the two-year transition period most people had let pass before they acted. First, the authorities must become active and exert pressure; however, in the case of NIS2, they will only be able to apply for posts and budget funds starting in 2024. They will then put the latter out to tender, use the funds to fill roles and positions, and these in turn will then think about the process before approaching operators. This means that with NIS2 – which will come into force immediately in October 2024 without an implementation deadline and affect around 29,000 companies and 4,700 critical infrastructure operators in Germany – everyone will be fighting over the same staff and specialists due to the shortage. It will again take years to implement all of this. And at the same time, it will take the authorities years again to fulfill their inspection obligations.

Tresorit: What key measures are operators and suppliers currently taking to build resilience?

Manuel Atug: Basically, cyber security and physical security must be implemented. There is a lot of state of the art and best practices in this regard, for example against natural disasters, fire, water, sabotage, intruders on the production site, IT security threats, and so on. You can set up an information security management system, think about emergency management and see what a reasonable incident response should look like. If I already have good processes and security is part of the company culture, I can also take care of the next level and have everything checked in internal audits – or externally through penetration tests.

But if I'm still at the beginning, a pen test makes no sense. It would be going in the wrong direction. If I don't have a secure system yet, the pen test sample doesn't tell me much more than “You must act now.” But I don't need the sample for that. Inventorying the IT network, admin rights and security patch management, as well as appointing an IT security officer, for example, are measures that I can implement right away, with or without new laws.

Tresorit: Both the number of connected devices and professional cyberattacks on supply chains continue to rise – sometimes with serious consequences beyond the sectors concerned. Do the critical infrastructure boundaries need updating?

Manuel Atug: The critical infrastructure sectors are defined and should remain like this. Otherwise, everything would be critical, everything would be relevant, and we would have no differentiation. The critical infrastructure sectors concern public safety or the provision of services to the population. There is a debate about whether media and culture should be part of it even though it is defined as such a sector. It should be left in the set of critical infrastructure sectors because it is a sensibly defined one. The German Federal Office of Civil Protection and Disaster Assistance has a definition that also includes the ten known critical infrastructure sectors, as well as large research institutions and the chemical industry. However, the latter haven’t been addressed in Germany and other parts of Europe yet. Here we have a deficit that is to be rectified.

The legal requirements set out in NIS1 and NIS2 or the “KRITIS umbrella law” must be addressed by the operator of a critical infrastructure. If they work with a service provider for certain parts, the operator has the responsibility and must also pass this on to the service provider so that they implement the security measures. This still happens too rarely, even though the laws require it. In any case, future best practices for entire industries will be derived from everything that operators are currently implementing, including those that serve fewer than 500,000 people and are therefore not relevant according to critical infrastructure. There will also be a change here, but again, this will only happen after years.